Info

For the request, whois, session, and user-agent objects, enclose every string value in single quotes (') and not in double quotes (").

request

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| headers | dict | Request headers | |
| ip | string | Client IP | `request.ip` |
| uri | string | Domain’s URI (URL path + arguments) | `request.uri` |
| path | string | Domain’s URL path | `request.path` |
| method | string | HTTP method (uppercase). | `request.method` |
| origin_ip | string | Web application server IP | `request.origin_ip` |
| ja3 | string | TLS fingerprint. | `request.ja3` |
| http_version | string | Represents HTTP version | `request.http_version` |
| is_api() | function | Returns true if the request is API | `request.is_api()` |
| is_ajax() | function | Returns true if the request is AJAX | `request.is_ajax()` |
| is_static() | function | Returns true if the request is static | `request.is_static()` |
| ip_in_range | function | Returns true if client IP is within the specified range | `request.ip_in_range(<string>, <string>)` |
| rate_limit | function | Returns true if the rate limit is exceeded for these parameters (the scope is `'ip'`/`'cluster'`). For parameter descriptions, check out the Rate limiting guide. | `rate_limit([ip <string>, ...], url <string>, interval <int>, requests <int>, [method <string>, ...], [status_code <int>, ...], content_type <string>, scope <string>)` |

Examples:

```
request.ip == '117.20.32.5' ||
request.ip == '117.20.32.4'

('/prehistoric/monotony/monotony.phtml' or '/amfphp/services') in request.uri

request.path in ['/process_neopet_desc.phtml', '/modify_neomessages.phtml']

request.method == 'OPTION'

request.origin_ip == '120.36.54.1'

request.ja3 == 'e2925c27149b0d0dc34373d55040dde1' or request.ja3 == '3e9b20610098b6c9bff953856e58016a' or request.ja3 == '7d671906ed4a1edac3262a54676dacfa'

request.http_version in ['1.1']

request.ip_in_range('72.21.217.0', '72.21.217.255')
or request.ip_in_range('2409:4072:6c8c:e228:ecaf:ce2c:fd7d:0000', '2409:4072:6c8c:e228:ecaf:ce2c:fd7d:4780')

request.rate_limit([], '/', 5, 200, ['GET', 'HEAD'], [], 'text/html; charset=', 'ip')
```

whois

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| country | string | Two-letter country code (uppercase). | `whois.country` |
| org | string | Organization name from the WHOIS database. | `whois.org` |
| owner_type | string | Owner type of the range. | `whois.owner_type` |

Examples:

```
whois.country in ['BR', 'VN', 'ID']

whois.org in ['Google Inc', 'Google Inc.', 'Google LLC', 'Google Incorporated']

whois.owner_type != 'hosting services'
```

session

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| request_counter | int | Sequential number of the request within the session. | `session.session_request_counter` |
| profiling_status | string | Client’s fingerprint profiling status. | `session.profiling_status` |

Values of profiling_status:
- Initiated: JavaScript was injected in the response and sent to the client for execution.
- Executed once: JavaScript was executed, and WAAP received preliminary results.
- Profiling error: An error occurred during profiling.
- Profiling completed: Profiling completed without error.
- Idle: All JavaScript tests and fingerprinting process completed.

Examples:

```
session.request_counter > 1000

session.profiling_status == 'idle'
```

response

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| status | int | HTTP status code | `response.status` |
| headers | dict | Response headers | |

Example:

```
response.headers['Access-Control-Allow-Credentials'] == 'true'
```

tags

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| `exists(tag <string>)` | function | Returns true if the tag exists. | `tags.exists(<string>)` |
| `any([tag <string>, …])` | function | Returns true if any of the tags exists. | `tags.any([<string>, <string>, …])`, up to 10 tags |
| `all([tag <string>, …])` | function | Returns true if all tags exist. | `tags.all([<string>, <string>, …])`, up to 10 tags |

Examples:

```
tags.any(['proxynetwork','hostingservices'])

tags.exists('penalty')
```

user-agent

The ua_parsed table contains user agent information collected by WAAP from the source of the logged request.

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| engine | string | The client engine. For example, Gecko. | `user_agent.engine` |
| client | string | The name of the client. An example of client name is “Firefox”. | `user_agent.client` |
| client_type | string | The type of client. Optional values: Major browser, NA, Lib, Crawler, Custom browser, mobile app, Headless browser, Bot, Application, mail client, Site monitoring, RSS reader, Game console, Text browser, Network diagnostics, certificate authority, paying service. | `user_agent.client_type` |
| client_version | string | The client engine’s version. | `user_agent.client_version` |
| client_version_float | string | A possibly truncated version of the client browser engine’s version. | `user_agent.client_version_float` |
| os | string | The client computer’s operating system. An example of os is “Mac OS X 10.14”. | `user_agent.os` |
| cpu | string | The client computer’s CPU. An example of CPU is “Intel”. | `user_agent.cpu` |
| device | string | Information about the client device. An example of a device is “mac”. | `user_agent.device` |
| device_type | string | Additional information about the client device. | `user_agent.device_type` |

Optional values of device_type:
- Web search engine bots
- mobile
- NA
- SEO
- Analytics or marketing bots
- Preview bot
- Media or entertainment search bots
- Social media or blog bots
- RSS seed reader bots
- Site monitoring and web development bots
- Web archiver bots
- console
- Job search engine bots
- Online advertising bots
- News aggregator bots
- Academic or research bots
- Desktop
- Business intelligence bots
- Automated shopping cart and sniper bots
- Enterprise data aggregator bots
- Media player

Examples:

```
'major browser' in user_agent.client_type

user_agent.device_type == 'na'
```

client_data

| Attribute | Type | Description | Compiled source field |
|---|---|---|---|
| fingerprint['hash'] | dict | A table that contains fingerprint information about the request (the information is collected by WAAP with injected JavaScript): `fp__hash` of the client, `fp__js` of the client, `fp__flash` of the client, `fp__header` of the client | `client_data.fingerprint['hash']` |
| fingerprint['js'] | dict | | `client_data.fingerprint['js']` |
| fingerprint['flash'] | dict | | `client_data.fingerprint['flash']` |
| fingerprint['header'] | dict | | `client_data.fingerprint['header']` |

Examples:

```
client_data.fingerprint == 'kvd8oxizrdl-41-37zpvwqrr-5tzoaavgfr7-v2osmr4iefe-noieo-90.3095389639745667'

client_data.fingerprint['hash'] == '9be394dca715eca8e42783397a507d2e'
```
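
A pre-deployment lint for the conventions stated on this page (straight single quotes around strings, at most 10 tags in `tags.any`/`tags.all`, uppercase `whois.country` and `request.method` values), added here as a Python example that is not part of the WAAP documentation or product. The `lint_rule` helper and the sample rules are hypothetical, and the case checks assume string comparison in rules is case-sensitive.

```python
import re

STRING = re.compile(r"'([^']*)'")                        # straight single-quoted literal
BAD_QUOTE = re.compile(r'["\u2018\u2019\u201c\u201d]')   # double or typographic quote
TAG_LIST = re.compile(r"tags\.(any|all)\(\s*\[(.*?)\]", re.S)
OPERAND = r"\s*(?:==|!=|in)\s*(\[.*?\]|'[^']*')"         # literal or list after a comparison
COUNTRY = re.compile(r"whois\.country" + OPERAND, re.S)
METHOD = re.compile(r"request\.method" + OPERAND, re.S)


def lint_rule(source):
    """Return (check, message) findings for one rule expression (hypothetical helper)."""
    findings = []
    # Quote characters inside a valid literal are data, so blank the literals first.
    outside = STRING.sub("''", source)
    bad = BAD_QUOTE.search(outside)
    if bad:
        findings.append(("quote", f"{bad.group()!r} used as a string delimiter"))
    for m in TAG_LIST.finditer(source):
        count = len(STRING.findall(m.group(2)))
        if count > 10:
            findings.append(("tag-limit", f"tags.{m.group(1)}() lists {count} tags, limit is 10"))
    for m in COUNTRY.finditer(source):
        for value in STRING.findall(m.group(1)):
            if not re.fullmatch(r"[A-Z]{2}", value):
                findings.append(("country", f"{value!r} is not a two-letter uppercase code"))
    for m in METHOD.finditer(source):
        for value in STRING.findall(m.group(1)):
            if value != value.upper():
                findings.append(("method", f"{value!r} is not uppercase"))
    return findings


# Constructed sample rules, built from the attribute examples on this page.
SAMPLES = [
    "whois.country in ['BR', 'VN', 'ID'] or tags.exists('penalty')",
    "request.ip == \u2018117.20.32.5\u2019",
    "request.method == 'get' or whois.country in ['br', 'VN']",
    "tags.any([" + ", ".join(f"'tag{i}'" for i in range(11)) + "])",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_rule(rule) or "ok")
```

Running such a check before saving a rule catches expressions copied from rendered documentation, where typographic quotes replace the straight ones the rule language expects.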